Users & security

What is the Users page?

The Users page allows administrators to manage individual user accounts, including creating, editing, and deleting accounts. It provides detailed control over user-specific settings, permissions, and roles within the Privileged Remote Access environment.

How is the Users page useful to my organization?

The Users page enables administrators to customize access and permissions for each user, ensuring security and proper role alignment. It also allows for efficient user management, helping to maintain compliance and support operational needs.

How do I access the Users page?

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. From the main menu, click Privileged Remote Access > Users & Security.
    The Users & Security page opens and the Users tab displays by default.

The Users page


  1. Left menu: Easy access to all pages in Privileged Remote Access, including Home, Status, Consoles & Downloads, My Account, Configuration, Jump, Vault, Console Settings, Users & Security, Reports, Management, and Appliance pages.

  2. Status: Takes you to the Status page.

  3. Header: Change tenant site and obtain user profile setting information.

  4. Filter: Search users based on Last Authenticated As, Display Name or Email Address.

  5. Users columns: The list of Users columns. Not all of the columns are displayed.

    Users columns
    • Last Authenticated As: The name of the user in the form of [email protected].
    • Display Name: The full name of the account. For example, "John Smith".
    • Last Authentication Date: The last date the user logged on.
    • Administrator: Indicates whether the user is an administrator, as defined in the General Permission section of the Users & Security > Group Policies page. The value of the column is Yes or No.
  6. Users list options: Edit or delete a user.

User accounts

This page is changed in Pathfinder. You can still search for users, edit the users, and obtain a user account report on the Users page. However, the ability to add new users and synchronize the users and groups associated with an external security provider is removed. There is now a single point of user management for all products hosted on Pathfinder. This is performed on the User Management page.

Search users

Search for a specific user account based on username, display name, or email address.

User account report

Export detailed information about your users for auditing purposes. Gather detailed information for all users, users from a specific security provider, or just local users. Information collected includes group policy and team memberships and permissions.

How do I access the User Management page?

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. Sign into the Administration tenant located in the upper-right hand corner with administrative permission.
  3. Click the hamburger menu in the upper left-hand corner of the window.
  4. In the User Administration section, click User Management.
    The Organization Users page displays.

Add a new user

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. Sign into the Administration tenant located in the upper-right hand corner with administrative permission.
  3. Click the hamburger menu in the upper left-hand corner of the window.
  4. In the User Administration section, click User Management.
    The Organization Users page displays.
  5. Click Invite User.
  6. In User Details section, enter an Email Address, First Name, and Last Name. All fields are required.
  7. In the User Permissions section, for Organization Role, select either Standard User or Administrator.
  8. For Site Access, select the site(s) and at least one application you wish to grant user access to.
  9. Click Invite User.

Edit a user

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. Sign into the Administration tenant located in the upper-right hand corner with administrative permission.
  3. Click the hamburger menu in the upper left-hand corner of the window.
  4. In the User Administration section, click User Management.
    The Organization Users page displays.
  5. From a list of users, click the ellipsis.
  6. Click Edit User.
  7. Make the necessary changes, and then click Save Changes.

Memberships

Group policy memberships

This section lists the group policies to which the user belongs and allows you to search or Add the policy to the user. Group policies selected for a user can be edited by clicking the name of the policy in the list. All policy maintenance is handled on the Users & Security > Group Policies page.

The user can be removed from one or more group policies by selecting the policy or policies and clicking Remove. The default policy cannot be selected.

Note

Other memberships do not display while a new user is being created. Once the new user has been saved, the other memberships appear, listing any to which the user may have been added, with links for updating these memberships and for reviewing or editing details about the memberships.

Team memberships

This membership lists the teams to which the user belongs.

Jumpoint memberships

This membership lists the Jumpoints which the user can access.

Jump Group memberships

This membership lists the Jump Groups to which the user belongs.

Vault account group memberships

This membership lists the Vault Account Groups to which the user belongs.

Account settings

Account never expires

When checked, the account never expires. When not checked, an account expiration date must be set.

Account expiration date

Causes the account to expire after a set date.

Account disabled

Allows you to disable the account so the user cannot log in. Disabling does NOT delete the account.

Comments

Add comments to help identify the purpose of this object.

General permissions

Administration

Administrative privileges

Grants the user full administrative rights.

Allowed to administer Vault

Gives the user access to the Vault.

Allowed to Administer Endpoint Automation

Gives the user access to Endpoint Automation.

Allowed to Set Passwords

Enables the user to set passwords and unlock accounts for non-administrative local users.

Allowed to Edit Jumpoints

Enables the user to create or edit Jumpoints. This option does not affect the user's ability to access remote computers via Jumpoint, which is configured per Jumpoint or group policy.

Allowed to Edit Teams

Enables the user to create or edit teams.

Allowed to Edit Jump Groups

Enables the user to create or edit Jump Groups.

Allowed to Edit Canned Scripts

Enables the user to create or edit canned scripts for use in screen sharing or command shell sessions.

Allowed to Edit Custom Links

Enables the user to create or edit custom links.

Reporting

Allowed to view access session reports

Enables the user to run reports on access session activity, viewing only sessions for which they were the primary session owner, only sessions for endpoints belonging to a Jump Group of which the user is a member, or all sessions.

Allowed to view access session recordings

Enables the user to view video recordings of screen sharing sessions and command shell sessions.

Allowed to view Vault reports

Enables the user to view his or her own Vault events or all Vault events.

Allowed to view syslog reports

Enables the user to download a ZIP file containing all syslog files available on the appliance. Admins are automatically permissioned to access this report. Non-admin users must request access to view this report.

Access permissions

Access

Allowed to access endpoints

Enables the user to use the access console in order to run sessions. If endpoint access is enabled, options pertaining to endpoint access will also be available.

Session management

Allowed to share sessions with teams which they do not belong to

Enables the user to invite a less limited set of users to share sessions, not only their team members. Combined with the extended availability permission, this permission expands session sharing capabilities.

Allowed to invite external users

Enables the user to invite third-party users to participate in a session, one time only.

Allowed to enable extended availability mode

Enables the user to receive email invitations from other users requesting to share a session even when they are not logged into the access console.

Allowed to edit the external key

Enables the user to modify the external key from the session info pane of a session within the access console.

Remove User from session after inactivity

Sets the time interval to remove a user from a session after inactivity. Values range from No Timeout to 24 hours.

User to user screen sharing

Allowed to show screen to other users

Enables the user to share their screen with another user without the receiving user having to join a session. This option is available even if the user is not in a session.

Allowed to give control when showing screen to other users

Enables the user sharing their screen to give keyboard and mouse control to the user viewing their screen.

Jump Technology

Allowed Jump Item methods

Enables the user to Jump to computers using the following:

  • Jump Clients
  • Local Jump on the local network
  • Remote RDP (via a Jumpoint)
  • Shell Jump (via a Jumpoint)
  • Protocol Tunnel Jump (via a Jumpoint)
  • Remote Jump (via a Jumpoint)
  • Remote VNC (via a Jumpoint)

Jump Item Roles

A Jump Item Role is a predefined set of permissions regarding Jump Item management and usage. For each option, click Show to open the Jump Item Role in a new tab.

The Default role is used only when Use User's Default is set for that user in a Jump Group.

The Personal role applies only to Jump Items pinned to the user's personal list of Jump Items.

The Teams role applies to Jump Items pinned to the personal list of Jump Items of a team member of a lower role. For example, a team manager can view team leads' and team members' personal Jump Items, and a team lead can view team members' personal Jump Items.

The System role applies to all other Jump Items in the system. For most users, this should be set to No Access. If set to any other option, the user is added to Jump Groups to which they would not normally be assigned, and in the access console, they can see non-team members' personal lists of Jump Items.

Note

A new Jump Item Role called Auditor is automatically created on new site installations. On existing installations it has to be created. This role only has a single View Reports permission enabled, giving admins the option to grant a user just the permission to run Jump Item reports, without the need to grant any other permission.

External tools

Enable static port and username for external tool sessions

This option accepts two values:

  • Enable: Ensures that the port and username generated for a user starting a session with a jump item using external tools are preserved from session to session.
  • Disable: A new port number and username are randomly generated for that user every time they start a new session with each jump item.

Session permissions

Set the prompting and permission rules that should apply to this user's sessions. Choose an existing session policy or define custom permissions for this user. If Not Defined, the global default policy will be used. These permissions may be overridden by a higher policy.

Description

View the description of a pre-defined session permission policy.

Screen sharing

Screen sharing rules

Select the representative's and remote user's access to the remote system:

  • If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.
  • Deny disables screen sharing.
  • View Only allows the representative to view the screen.
  • View and Control allows the representative to view and take action on the system. If this is selected, endpoint restrictions can be set to avoid interference by the remote user:
    • None does not set any restrictions on the remote system.
    • Display, Mouse, and Keyboard disables these inputs. If this is selected, a check box is available to Automatically request a privacy screen on session start. Privacy screen is applicable only for sessions started from a Jump Client, a Remote Jump Item, or a Local Jump Item. We recommend using privacy screen for unattended sessions. The remote system must support privacy screen.

Clipboard synchronization direction

Select how clipboard content flows between users and endpoints. The options are:

  • Not allowed: The user is not allowed to use the clipboard, no clipboard icons display in the access console, and cut and paste commands do not work.
  • Allowed from Rep to Customer: The user can push clipboard content to the endpoint but cannot paste from the endpoint's clipboard. Only the Send clipboard icon displays in the access console.
  • Allowed in Both Directions: Clipboard content can flow both ways. Both Push and Get clipboard icons display in the access console.

Application sharing restrictions

This option limits access to specified applications on the remote system. There are three values:

  • None
  • Allow only the listed executables: Allows you to specify executables to allow as appropriate to your objectives.
  • Deny only the listed executables: Allows you to specify executables to deny as appropriate to your objectives.

You may also choose to allow or deny desktop access.

Note

  • This feature applies only to Windows operating systems.
  • The Add New Executable button only displays when the Application Share Restriction permission is enabled.

Add new executables

When you add executables, you have one of two choices:

  • Enter file names or SHA-256 hashes, one per line: Manually enter the executable file names or hashes you wish to allow or deny. Click Add Executable(s) when you are finished to add the chosen files to your configuration.
    You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.
  • Browse for one or more files: Choose executable files to automatically derive their names or hashes. If you select files from your local platform and system in this manner, use caution to ensure that the files are indeed executable files. No browser level verification is performed.
    • Choose either Use file name or Use file hash (advanced) to have the browser derive the executable file names or hashes automatically.
      Click Add Executable(s) when you are finished to add the chosen files to your configuration. You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.

Note

This option is available only in modern browsers, not in legacy browsers.
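
The manual hash entry described above can be prepared offline. The following is an added example, not BeyondTrust code: it hashes candidate files, skips anything without a Windows executable header (the check the page says the browser does not perform), and splits the result into lists of at most 25 for pasting one per line. The function names and the lowercase hexadecimal output format are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

MAX_PER_DIALOG = 25  # per-dialog limit stated on this page

def sha256_of(path, chunk_size=1 << 20):
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()  # lowercase hex; the accepted format is an assumption

def looks_like_pe(path):
    """Windows executables begin with the two-byte 'MZ' DOS header."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def build_batches(paths, batch_size=MAX_PER_DIALOG):
    """Return (batches, skipped); each batch fits one Add Executable(s) dialog."""
    hashes, skipped = [], []
    for p in sorted(Path(x) for x in paths):
        if not p.is_file() or not looks_like_pe(p):
            skipped.append(str(p))   # the page notes the browser does not verify this
            continue
        h = sha256_of(p)
        if h not in hashes:          # same binary under two names needs one entry
            hashes.append(h)
    batches = [hashes[i:i + batch_size] for i in range(0, len(hashes), batch_size)]
    return batches, skipped

def demo():
    """Constructed sample: 27 fake PE files, one renamed copy, one text file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for i in range(27):
            (root / f"tool{i:02}.exe").write_bytes(b"MZ" + bytes([i]) * 64)
        (root / "copy_of_tool00.exe").write_bytes(b"MZ" + bytes([0]) * 64)
        (root / "readme.exe").write_bytes(b"plain text, not a PE file")
        return build_batches(root.iterdir())

if __name__ == "__main__":
    batches, skipped = demo()
    for n, batch in enumerate(batches, 1):
        print(f"--- dialog {n}: {len(batch)} hashes, one per line ---")
        print("\n".join(batch))
    print("skipped (no MZ header):", skipped)
```

A hash identifies one exact build of a file, so a hash-based list needs to be regenerated whenever the listed applications are updated.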

Allowed endpoint restrictions

Sets the option for the user to suspend the remote system's mouse and keyboard input. The user may also prevent the remote desktop from being displayed.

Annotations

Annotation rules

Enables the user to use annotation tools to draw on the remote system's screen. If Not Defined is enabled, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

File transfer

File Transfer Rules

Enables the user to upload files to the remote system, download files from the remote system, or both. If Not Defined is enabled, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Accessible paths on the endpoint's filesystem

Allow the user to transfer files to or from any directories on the remote system or only specified directories.

Accessible paths on user's filesystem

Allow the user to transfer files to or from any directories on their local system or only specified directories.

Command shell

Shell Rules

Enables the user to issue commands on the remote computer through a virtual command line interface. If Not Defined is enabled, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy. Configure command filtering to prevent accidental use of commands that can be harmful to endpoint systems.

Note

Command shell access cannot be restricted for Shell Jump sessions.

Allowed Executable Command Patterns

Enables the user to search for a regex pattern that matches a shell prompt. For filtering to work, the Recognized Shell Prompts section on the Jump > Jump Item page must be set, and filtering applies only to commands in a Shell Jump session.

System information

System Information Rules

Enables the user to see system information about the remote computer. If Not Defined is enabled, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy. You also have the option to set system information actions.

  • Allowed to use system information actions: Enables the user to interact with processes and programs on the remote system without requiring screen sharing. Kill processes; start, stop, pause, resume, and restart services; and uninstall programs.

Registry access

Registry Access Rules

Enables the user to interact with the registry on a remote Windows system without requiring screen sharing. You have the ability to do the following actions:

  • View, add, delete and edit keys
  • Search and import/export keys

Canned scripts

Canned Script Rules

Enables the user to run canned scripts that have been created for their teams. If Not Defined is enabled, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Session Termination Behavior

When the access session ends, automatically

Controls what action happens when the session ends. The options are:

  • Not Defined
  • Do Nothing
  • Lock the computer
  • Log out the user (Only works on Windows hosts).

Allow users to override this setting per session

You can allow a user to override the session termination setting from the Summary tab in the console during a session.

Availability settings

Login schedule

Restrict user login to the following schedule

Set a schedule to define when users can log into the access console. Set the time zone you want to use for this schedule, and then add one or more schedule entries. For each entry, click Add Schedule Entry to set the start day and time and the end day and time.

If, for instance, the time is set to start at 8 am and end at 5 pm, a user can log in at any time during this window but may continue to work past the set end time. They are not, however, allowed to log back in after 5 pm.

Force logout when the schedule does not permit login

If stricter access control is required, check this option. This forces the user to log out at the scheduled end time. In this case, the user receives recurring notifications beginning 15 minutes prior to being disconnected. When the user is logged out, any owned sessions follow the session fallback rules.
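
The difference between the login schedule alone and the schedule combined with forced logout, modelled as an added example (not BeyondTrust code). The class and function names, the outcome labels, the end-exclusive window boundary and the merging of back-to-back entries are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

WEEK = 7 * 24 * 60   # minutes in a week
WARN_MINUTES = 15    # notification lead time stated on this page

def to_min(day, hhmm):
    """Day 0 = Monday and 'HH:MM' -> minute of the week."""
    h, m = map(int, hhmm.split(":"))
    return day * 1440 + h * 60 + m

class LoginSchedule:
    def __init__(self, tz, entries):
        # entries: (start_day, 'HH:MM', end_day, 'HH:MM'); an entry may wrap past Sunday
        self.tz = tz
        self.entries = [(to_min(sd, st), (to_min(ed, et) - to_min(sd, st)) % WEEK)
                        for sd, st, ed, et in entries]

    def minutes_until_close(self, now):
        """0 outside every entry; otherwise minutes until the window closes,
        treating overlapping or back-to-back entries as one window."""
        local = now.astimezone(self.tz)          # evaluate in the schedule's zone
        t = local.weekday() * 1440 + local.hour * 60 + local.minute
        total = 0
        while total < WEEK:
            left = max((length - (t - start) % WEEK
                        for start, length in self.entries
                        if (t - start) % WEEK < length), default=0)
            if left == 0:
                break
            total, t = total + left, (t + left) % WEEK
        return min(total, WEEK)

    def decide(self, now, has_session, force_logout):
        remaining = self.minutes_until_close(now)
        if not has_session:                      # new login attempt
            return "allow_login" if remaining else "deny_login"
        if remaining:                            # still inside the window
            warn = force_logout and remaining <= WARN_MINUTES
            return "warn_logout_pending" if warn else "continue"
        # past the end: only the force option ends an existing login
        return "force_logout" if force_logout else "continue"

def demo():
    tz = timezone(timedelta(hours=-5))           # constructed fixed-offset zone
    sched = LoginSchedule(tz, [(d, "08:00", d, "17:00") for d in range(5)])
    def at(h, m):
        return datetime(2025, 3, 3, h, m, tzinfo=tz)   # 2025-03-03 is a Monday
    return {
        "new login 09:00": sched.decide(at(9, 0), False, False),
        "new login 17:30": sched.decide(at(17, 30), False, False),
        "working 17:30, no force": sched.decide(at(17, 30), True, False),
        "working 16:50, force": sched.decide(at(16, 50), True, True),
        "working 17:30, force": sched.decide(at(17, 30), True, True),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26} -> {outcome}")
```

The third case is the one to weigh when reviewing a policy: without the force option, a user who logged in before the end time keeps working after it.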

